Skip to content

Add Azure platform detection to the translator#2183

Open
movence wants to merge 5 commits into
mainfrom
feature/azure-detection
Open

Add Azure platform detection to the translator#2183
movence wants to merge 5 commits into
mainfrom
feature/azure-detection

Conversation

@movence

@movence movence commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds automatic Azure platform detection to the CloudWatch Agent translator so Azure VM and AKS environments generate the correct OTEL configuration with no customer input, without affecting existing AWS (EC2/ECS/EKS/on-prem) detection.

What changed

  • New translator/util/azuredetector package
    • IsAzureVM() detects an Azure VM by querying the Azure Instance Metadata Service through the contrib metadataproviders/azure provider (azuremeta.NewProvider().Metadata()). The IMDS HTTP specifics (endpoint, Metadata: true header, response parsing) are owned by the contrib provider; this package wraps that call with a short per-attempt timeout, a bounded retry, and result caching — added here because the contrib client ships none of those. Any probe error is treated as retryable and a definitive (non-error) result is cached.
    • IsAKS() reads the RUN_IN_AKS environment variable set by the AKS Helm chart.
  • Mode resolution (translator/util/sdkutil.go) — AWS-first: Azure is only considered after every AWS signal (RUN_IN_AWS, IRSA, EC2, ECS) is exhausted; EKS keeps precedence over AKS. AKS nodes resolve to the AzureVM host mode. Detection runs once at startup.
  • Platform modesModeAzureVM / ModeAKS (+ short modes) added to the context SetMode/SetKubernetesMode.
  • Generated config driven by platformresourcedetection emits [env, azure] for Azure VM and [env, aks, azure] for AKS; the oidctoken extension is emitted on Azure VM (provider: azure) so telemetry egress can later obtain a bearer token from Azure IMDS. Wiring oidctoken as the exporter authenticator (replacing sigv4auth) is follow-up egress work and is intentionally out of scope for platform detection — the extension is emit-only at this stage.

Testing

  • Detector unit tests use a fake azuremeta.Provider stub covering detected, not-Azure, unreachable, transient-error-not-cached, and result-cached cases, plus RUN_IN_AKS env stubs — all pass with -race.
  • Mode-resolution table tests assert AWS (EC2/ECS/IRSA) and EKS results are unchanged even when the Azure signal is forced true.
  • Golden tocwconfig fixtures for Azure VM and AKS validate the full JSON→YAML translation (including resourcedetection detectors and the oidctoken extension) through xconfmap.Validate.
  • go build ./..., go vet, gofmt, and the repo-pinned golangci-lint are clean.

Validated on a real Azure VM

Ran the built config-translator on a live Azure VM (Standard_D2s_v3) and diffed the generated OTEL YAML against the golden fixtures:

  • Azure VM (-mode auto, live IMDS): detected AzureVM; output byte-identical to host_metrics_azurevm_config.yaml — detectors [env, azure] + oidctoken (provider: azure).
  • AKS (RUN_IN_AKS=True + RUN_IN_CONTAINER=True): detected AzureVM host + AKS; byte-identical to host_metrics_aks_config.yaml — detectors [env, aks, azure].
  • AWS unaffected: -mode ec2[eks, env, ec2], no Azure detectors; RUN_IN_AWS=True on the Azure VM still resolves to EC2 (AWS wins over Azure).

@movence movence requested a review from a team as a code owner July 1, 2026 13:59
@movence movence changed the title Add Azure VM + AKS platform detection to the translator Add Azure platform detection to the translator Jul 1, 2026
@movence movence added the ready for testing Indicates this PR is ready for integration tests to run label Jul 1, 2026
@movence movence force-pushed the feature/azure-detection branch from a563d67 to f75cc53 Compare July 1, 2026 14:14
Comment thread translator/translate/otel/extension/oidctoken/translator.go
Comment thread translator/util/azuredetector/azuredetector.go
Comment thread go.mod
Comment thread translator/util/sdkutil_test.go Outdated
Comment thread translator/translate/otel/extension/oidctoken/translator.go
Comment thread translator/translate/otel/processor/resourcedetection/configs/aks_config.yaml Outdated
Comment thread translator/context/context.go
@movence movence force-pushed the feature/azure-detection branch from f75cc53 to d3cb5fa Compare July 1, 2026 15:53

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll want to have a separate transform configuration for Azure, but that can be done in a separate PR if you want.

Comment thread translator/translate/otel/translate_otel.go Outdated
Comment thread translator/translate/otel/extension/oidctoken/translator.go Outdated
Comment thread translator/translate/otel/extension/oidctoken/translator.go
Comment thread translator/tocwconfig/tocwconfig_test.go Outdated
Comment thread translator/util/oidctokenpath.go Outdated
Comment thread translator/util/azuredetector/azuredetector.go Outdated
Comment thread translator/util/azuredetector/azuredetector.go Outdated
Comment thread translator/util/azuredetector/azuredetector.go Outdated
Comment thread translator/util/azuredetector/azuredetector.go Outdated
Comment thread translator/util/sdkutil.go Outdated
Comment on lines +119 to +125
// Azure VM/AKS (AKS resolves to ModeAzureVM) reaches AWS only via oidctoken->sigv4 web identity, which needs role_arn.
if context.CurrentContext().Mode() == config.ModeAzureVM {
if agent.Global_Config.Role_arn == "" {
return nil, errors.New("credentials.role_arn is required on Azure VM/AKS for the oidctoken web-identity credential chain")
}
pipelines.Translators.Extensions.Set(oidctoken.NewTranslator())
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feel like this should be defined in a pipeline that actually uses it. Either the opentelemetry one or some other one. For example, if I run this on Azure with something that doesn't use the sigv4auth extension, the oidctoken extension isn't actually being used.

@movence movence force-pushed the feature/azure-detection branch from ca45a7a to f39901a Compare July 7, 2026 13:36
Comment thread tool/paths/paths.go Outdated
Comment thread translator/util/oidctokenpath.go Outdated
@movence movence force-pushed the feature/azure-detection branch 3 times, most recently from 1d895aa to 149f638 Compare July 7, 2026 16:06
Comment thread translator/util/sdkutil.go Outdated
// hasSigv4auth reports whether a sigv4auth extension is present, i.e. some pipeline will consume the oidctoken file.
func hasSigv4auth(extensions common.ComponentTranslatorMap) bool {
for _, id := range extensions.Keys() {
if id.Type().String() == "sigv4auth" {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use sigv4authextension.NewFactory().Type() instead of hardcoding?

@movence movence force-pushed the feature/azure-detection branch from 149f638 to 1892de0 Compare July 7, 2026 20:46
jefchien
jefchien previously approved these changes Jul 7, 2026
movence added 5 commits July 8, 2026 21:20
Detect Azure VM (via Azure IMDS 169.254.169.254 /metadata/instance with the
mandatory "Metadata: true" header) and AKS (via the RUN_IN_AKS env var set by
the AKS Helm chart), then drive the generated OTEL config from the detected
platform with no customer input:

- New translator/util/azuredetector package: cached IMDS probe (bounded timeout,
  transient-error retry, redirect refusal, compute-body validation, proxy
  disabled for the link-local address) + RUN_IN_AKS env signal.
- AWS-first mode resolution: Azure is only considered after every AWS signal
  (RUN_IN_AWS, IRSA, EC2, ECS) is exhausted; EKS keeps precedence over AKS.
  AKS nodes resolve to the AzureVM host mode.
- resourcedetection emits [azure, env] for Azure VM and [aks, env] for AKS.
- oidctoken extension wired on Azure VM (Provider=azure) to obtain a bearer
  token from Azure IMDS for telemetry egress.

Adds unit tests (httptest mock IMDS + env stubs), context mode handling, and
golden tocwconfig fixtures for Azure VM and AKS.
…omment

- oidctoken output_token_file derives from target platform (fixes Windows CI)
- guard EC2 ARN cloud.resource_id transform with cloud.provider == aws
- correct azuredetector retry comment (all errors retryable, not cached)
…ce_id guard

- sigv4auth sets assume_role.web_identity_token_file to the oidctoken path for AzureVM
- guard EC2 cloud.resource_id transform with cloud.platform == aws_ec2 (was cloud.provider == aws, which fired on ECS/EB/Lambda)
- move oidc token file to the agent etc dir
- add AzureVMWithRoleARN sigv4 test; concise comments
…on Azure

- Move the OIDC token file path to translator/util (OIDCTokenFilePath), the
  single source of truth read by both oidctoken (writer) and sigv4auth (reader);
  removes the sigv4auth->oidctoken package import.
- Emit oidctoken whenever Mode()==AzureVM (AKS resolves to AzureVM), and require
  credentials.role_arn: Azure VM/AKS reaches AWS only via the oidctoken->sigv4
  web-identity chain, so a missing role_arn is a hard translate error, not a
  silent skip that would defer the failure to runtime.
- Drop the unreachable ProviderAuto branch; the extension is only emitted for
  Azure, so the provider is always Azure.
…detector, gate oidctoken on sigv4auth

- Fix CI lint (gosec G101): move the OIDC token path into tool/paths (OIDCTokenFile
  + LinuxOIDCTokenPath, literal so it stays linux-valued when targeting linux on a
  Windows build host); util.OIDCTokenFilePath now sources from there.
- azuredetector: drop the IsAzureVMCache struct/unused Err and the mutex in favor of
  atomic.Pointer[bool]; remove the dead probeAzureIMDS indirection var and the isAKS
  wrapper (IsAKS = envconfig.IsRunningInAKS directly); use for range on the retry loop.
- sdkutil: collapse the isAKS/isAzureVM wrappers now that azuredetector returns bool.
- Emit oidctoken only when a sigv4auth extension is present (co-located with the
  consumer, across all sigv4auth pipelines), instead of on ModeAzureVM alone.
@movence movence force-pushed the feature/azure-detection branch from 995937d to 3440113 Compare July 8, 2026 21:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready for testing Indicates this PR is ready for integration tests to run

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants